Added signature verification (untested). See AI chat: https://chatgpt.com/share/b521328b-7d7e-4b51-ae1a-9efec2f307c6

This commit is contained in:
Kevin Veen-Birkenbach 2024-07-20 12:54:04 +02:00
parent ca6951d1fe
commit c5b091e3b3


@ -172,6 +172,8 @@ case "$operation_system" in
;; ;;
esac esac
info "Verifying image..."
info "Verifying checksum..."
if [ -z "$image_checksum" ]; then if [ -z "$image_checksum" ]; then
for ext in sha1 sha512 md5; do for ext in sha1 sha512 md5; do
sha_download_url="$download_url.$ext" sha_download_url="$download_url.$ext"
@ -186,7 +188,6 @@ if [ -z "$image_checksum" ]; then
done done
fi fi
info "Verifying image..."
if [[ -v image_checksum ]] if [[ -v image_checksum ]]
then then
(info "Checking md5 checksum..." && echo "$image_checksum $image_path"| md5sum -c -) || (info "Checking md5 checksum..." && echo "$image_checksum $image_path"| md5sum -c -) ||
@ -197,6 +198,45 @@ if [[ -v image_checksum ]]
warning "Verification is not possible. No checksum is defined." warning "Verification is not possible. No checksum is defined."
fi fi
info "Verifying signature..."
signature_download_url="$download_url.sig"
info "Try to download image signature from $signature_download_url."
if wget -q --method=HEAD "$signature_download_url"; then
signature_name="${image_name}.sig"
signature_path="${image_folder}${signature_name}"
info "Download the signature file"
if wget -q -O "$signature_path" "$signature_download_url"; then
info "Extract the key ID from the signature file"
key_id=$(gpg --status-fd 1 --verify "$signature_path" "$image_path" 2>&1 | grep 'NO_PUBKEY' | awk '{print $NF}')
if [ -n "$key_id" ]; then
info "Check if the key is already in the keyring"
if gpg --list-keys "$key_id" > /dev/null 2>&1; then
info "Key $key_id already in keyring."
else
info "Import the public key"
gpg --keyserver keyserver.ubuntu.com --recv-keys "$key_id"
fi
info "Verify the signature again after importing the key"
if gpg --verify "$signature_path" "$image_path"; then
info "Signature verification succeeded."
else
warning "Signature verification failed."
fi
else
warning "No public key found in the signature file."
fi
else
warning "Failed to download the signature file."
fi
else
warning "No signature found under $signature_download_url."
fi
make_mount_folders make_mount_folders
set_partition_paths set_partition_paths
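Review bot: A failed signature check in the `else` branch after the second `gpg --verify` only emits a warning, so the script carries on to `make_mount_folders` with an image whose signature did not verify; that branch should abort, e.g. `warning "Signature verification failed."; exit 1` (or the script's fatal-error helper, if one exists alongside `info`/`warning`). The key is fetched from keyserver.ubuntu.com by the ID parsed from the NO_PUBKEY status line, and `gpg --verify` exits 0 for any key that produced the signature, so success here only shows the signature matches some key retrieved under that ID, not a trusted one; the imported key's fingerprint should be compared against an expected value before the result is relied on. Separately, `key_id` is non-empty only when gpg reports NO_PUBKEY, so when the key is already in the keyring the `[ -n "$key_id" ]` test fails and the script prints "No public key found in the signature file." without verifying, which makes the "already in keyring" branch effectively unreachable; the exit status of the first `gpg --verify` should decide that case instead. The hunk is top-level script code and its surrounding context continues outside the hunk.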